[stalk:00635] Re: ISAPI OVERFLOW
- To: security-talk@xxxxxxxxxxxxxxxxxxxx
- Subject: [stalk:00635] Re: ISAPI OVERFLOW
- From: Yasuo Miyakawa <miyakawa@xxxxxxxxx>
- Date: Fri, 20 Jul 2001 17:06:16 +0900
Miyakawa here (on leave).
# We also updated our "Emergency Countermeasure Information" at 12:45 on 7/18.
I am appending the information sources.
Also, SANS has sent out
Special Alert: Code Red Warning, plus Research Update
At 02:30 PM 01/07/20 +0900, jawfish wrote:
>So the IIS servers hit by the worm are, in effect, agents for a DDoS
>against the White House?
>
>BUGTRAQ
>Re: Full analysis of the .ida "Code Red" worm.
>http://www.securityfocus.com/archive/1/198198
>
>2001/07/20 12:09
>MICKY wrote:
> > About this CodeRed worm: as the number of affected hosts keeps growing,
> > doesn't the DDoS-attack aspect become more significant than the
> > site-defacement damage?
1. (Press report)
IIS worm made to packet Whitehouse.gov
http://www.theregister.co.uk/content/55/20474.html
2. (Analysis)
.ida "Code Red" Worm
http://www.eeye.com/html/Research/Advisories/AL20010717.html
3. (Alert)
**** SANS Security Alert *****
Plus a status update of interest to most security professionals.
--
1.
IIS worm made to packet Whitehouse.gov
http://www.theregister.co.uk/content/55/20474.html
By Thomas C Greene in Washington
Posted: 19/07/2001 at 09:35 GMT
One of the more curious features of the worm is that
some of the infected systems
(we think those using other than US English versions of Win-NT, but the
eEye bulletin is confusing)
will periodically send 100k to port 80 at whitehouse.gov.
--
2.
.ida "Code Red" Worm
http://www.eeye.com/html/Research/Advisories/AL20010717.html
Release Date:
July 17, 2001
Attack www.whitehouse.gov functionality
---------------------------------------
Sooner or later every thread within the worm seems to shift its attacking
focus to www.whitehouse.gov.
1. Create socket and connect to www.whitehouse.gov on port 80 and send 100k
bytes of data (1 byte at a time).
CODEREF: seg000:000008AD WHITEHOUSE_SOCKET_SETUP
Initially the worm will create a socket and connect to 198.137.240.91
(www.whitehouse.gov/www1.whitehouse.gov) on port 80.
CODEREF: seg000:0000092F WHITEHOUSE_SOCKET_SEND
If this connection is made then the worm will create a loop that performs
18000h single byte SEND()'s to www.whitehouse.gov.
CODEREF: seg000:00000972 WHITEHOUSE_SLEEP_LOOP
After 18000h SEND()'s the worm will sleep for about four and a half hours.
It will then repeat the attack against www.whitehouse.gov (go to step 1 of
attack www.whitehouse.gov functionality).
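The eEye excerpt above gives the numbers a defender can look for in outbound flow logs: 18000h (98304) one-byte sends to 198.137.240.91 on port 80, then a pause of roughly four and a half hours. The following is an added example, not code from the advisory or from this list; the log format is a constructed, hypothetical one (timestamp, source, destination, destination port, bytes, packets), and the sample lines are made up.

```python
import re

# Values taken from the quoted eEye advisory.
WHITEHOUSE_IP = "198.137.240.91"
SINGLE_BYTE_SENDS = 0x18000      # 98304 one-byte SEND()s per attack round

# Constructed sample of outbound flow records (hypothetical format, not from
# the page): timestamp src dst dport bytes packets
SAMPLE_LOG = """\
2001-07-19T20:00:01 10.0.0.5 198.137.240.91 80 98304 98304
2001-07-19T20:00:03 10.0.0.9 198.137.240.91 80 1200 6
2001-07-19T20:00:04 10.0.0.5 203.0.113.7 80 540 4
2001-07-19T20:05:00 10.0.0.12 198.137.240.91 80 98304 98304
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+) (\d+)$")


def parse_flows(text):
    """Parse the constructed flow format into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, nbytes, npkts = m.groups()
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                      "bytes": int(nbytes), "packets": int(npkts)})
    return flows


def suspect_hosts(flows, tolerance=0.05):
    """Return source hosts whose flows to 198.137.240.91:80 match the worm's
    flood profile: about 0x18000 packets averaging ~1 byte of payload each."""
    hits = set()
    for f in flows:
        if f["dst"] != WHITEHOUSE_IP or f["dport"] != 80 or f["packets"] == 0:
            continue
        avg_payload = f["bytes"] / f["packets"]
        near_count = abs(f["packets"] - SINGLE_BYTE_SENDS) <= tolerance * SINGLE_BYTE_SENDS
        if near_count and avg_payload <= 1.5:
            hits.add(f["src"])
    return sorted(hits)


if __name__ == "__main__":
    print(suspect_hosts(parse_flows(SAMPLE_LOG)))
```

Hosts flagged this way should be checked for the unpatched IIS .ida vulnerability and patched per MS01-033 before being brought back online.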
--
3.
**** SANS Security Alert *****
Plus a status update of interest to most security professionals.
The rapidly spreading IIS Code Red Worm is a problem of sufficient
magnitude to bring the Internet's INFOCON Alert Status to YELLOW --
and that is now reflected at Incidents.Org.
If you or anyone you know has an IIS server, please get it patched,
now!
The patch is posted at:
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp
[Yes that's a real Microsoft site]
Two hundred thousand systems may already have been infected. If you
are unsure whether yours is one of them, turn it off after you have
patched it. The current worm seems to disappear when the machine
is powered down, but you will be quickly reinfected if you are not
patched.
Please stay tuned to www.incidents.org and www.cert.org for further
information as it becomes available.
**************************************
--
- Questions and inquiries about this mailing list should be sent to
- <security-talk@xxxxxxxxxx>
--